950 Euro transfer to Intesa Sanpaolo

We analyzed a spam campaign distributed by the Cutwail spambot that used the theme “950 Euro transfer to Intesa Sanpaolo” on April 04, 2013:

Spam Subject(s):

Si deve essere attestato a 950,00 à dal tuo conto corrente bancario presso Intesa anPaolo.
Richiesta di ammortamento di à 950,00 dal conto bancario di Intesa SanPaolo
Gli ammortamenti delle 950,00 à dal tuo conto bancario in Intesa SanPaolo
à 950,00 sono dal vostro conto di Intesa SanPaolo ammortizzato in 24 ore

Spam Template:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

Gentile Cliente, <br>
Abbiamo ricevuto la richiesta di ammortamento di à 950,00 dal proprio conto bancario in Intesa SanPaolo per risolvere la consegna dei documenti. <br>L’ammortamento dei fondi e la trasmissione di documenti ulteriori fatto in 24 ore.<br><br>
<a href="hxxp://herr-pferd.de/info1.html">Vedi i dettagli dell’ordine </a> <br>
Cordiali saluti, Servizio clienti sostegno della Intesa SanPaolo Banca.<br>
</BODY></HTML>

Hostile URL(s):

hxxp://herr-pferd.de/info1.html
hxxp://nwernau.de/info1.html
hxxp://soswciechanow.home.pl/info1.html
hxxp://www.glueckauf-altenburg.de/info1.html
hxxp://nyhus.dk/info1.html
hxxp://barake.de/info1.html
hxxp://renata.weihs.w.interia.pl/info1.html
hxxp://vinkraj.narod.ru/info1.html
hxxp://mmjackofm.w.interia.pl/info1.html
hxxp://217.170.66.122/info1.html
hxxp://209.41.177.143/info1.html
hxxp://www.skemadtc.it/info1.html
hxxp://kumballa.de/info1.html
hxxp://www.samba-loco.de/info1.html
hxxp://brauerildiko.hu/info1.html
hxxp://public.dataproject.com/info1.html
hxxp://www.nationalhymne.de/info1.html
hxxp://angstrem.com.pl/info1.html
hxxp://mojdziennik.cba.pl/info1.html
hxxp://eleganceshop.home.pl/info1.html
hxxp://xchange.thegateworldwide.com/info1.html
hxxp://www.burningwick.pwp.blueyonder.co.uk/info1.html
hxxp://jwjoomla.cwsurf.de/info1.html
hxxp://www.agliati.it/info1.html
hxxp://best-nk.c0.pl/info1.html

The text ‘Vedi i dettagli dell’ordine’ is a hyperlink to one of the URLs listed above. Each of these pages contains an encoded script that redirects the browser to a Blackhole exploit kit v2.x at hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php. This Blackhole kit was hosted at IP address 96.126.106.62 at the time of this writing.
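Every lure in this campaign shares two traits that a mail-filtering or triage script can key on: the anchor text points at one of the hostile URLs above, and every hostile URL ends in the same path, /info1.html. The following Python is an added example (not part of the original post) that pulls every link out of a message body, refangs hxxp:// indicators so they compare correctly, and flags links that are either in the hostile list or merely match the campaign's path pattern on an unlisted host. The sample body, the hostile-URL subset and the helper names (refang, defang, LinkCollector, find_hostile_links) are constructed for the example; it generalizes slightly beyond the post by also catching unlisted hosts that reuse the /info1.html path.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the lure body from the campaign, link kept defanged,
# plus a benign link to show that only the lure is flagged.
SAMPLE_BODY = """<HTML><BODY>
Gentile Cliente, <br>
<a href="hxxp://herr-pferd.de/info1.html">Vedi i dettagli dell'ordine </a> <br>
<a href="https://www.intesasanpaolo.com/">Intesa Sanpaolo</a>
</BODY></HTML>"""

# Subset of the hostile URLs reported in the post (defanged form).
HOSTILE_URLS = {
    "hxxp://herr-pferd.de/info1.html",
    "hxxp://nwernau.de/info1.html",
    "hxxp://217.170.66.122/info1.html",
}


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// indicator back into a real scheme."""
    low = url.lower()
    if low.startswith("hxxps://"):
        return "https://" + url[8:]
    if low.startswith("hxxp://"):
        return "http://" + url[7:]
    return url


def defang(url: str) -> str:
    """Inverse of refang, so reported hits are safe to paste into a ticket."""
    low = url.lower()
    if low.startswith("https://"):
        return "hxxps://" + url[8:]
    if low.startswith("http://"):
        return "hxxp://" + url[7:]
    return url


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_hostile_links(body, hostile=HOSTILE_URLS, lure_path="/info1.html"):
    """Return a list of flagged links with the reason each one was flagged."""
    hostile_real = {refang(u).lower() for u in hostile}
    parser = LinkCollector()
    parser.feed(body)
    hits = []
    for href, text in parser.links:
        real = refang(href)
        parts = urlsplit(real)
        reason = None
        if real.lower() in hostile_real:
            reason = "known hostile URL"
        elif parts.path == lure_path:
            # Same landing-page path on a host not yet on the list.
            reason = "matches campaign path pattern"
        if reason:
            hits.append({"url": defang(real), "text": text, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_hostile_links(SAMPLE_BODY):
        print(hit)
```

The path heuristic is intentionally second-tier: a match on /info1.html alone should raise the message for review rather than block it outright, since the list of compromised hosts changed daily during this campaign while the path stayed constant.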

The kit attempts to download the following files/exploits:

hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j&eyoyoeuy=1o:30:32:30:1h:1j:1i:1f:1n:33&ggievtn=1o:1d:1f:1d:1f:1d:1f
Name: a4ccf.pdf
Identifier: CVE-2010-0188 exploit
Type: PDF document, version 1.6
Size: 9895 bytes
MD5sum: 1ef1040ba77c13ddc268ca34a4b030c6

If exploitation is successful, the victim is redirected to hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?fvpcpp=1l:30:1l:32:32&irzg=1o:30:32:30:1h:1j:1i:1f:1n:33&phrua=1i&nlcdd=obmoxwk&fdrehtz=gfyuft, and a Pony variant with the following properties is downloaded:

Name: contacts.exe
Identifier: Pony downloader
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 150,528 bytes
MD5: c42105cc624659827773cb62de516d5a

Pony downloader posts to its dropzone at:

hxxp://3ecompany.com:8080/forum/viewtopic.php

hxxp://23.advertisingspecialties.biz/forum/viewtopic.php

hxxp://23.area-plumbing-company.com/forum/viewtopic.php

hxxp://23.debtfreein100days.com/forum/viewtopic.php


Pony downloader was configured to download Gameover Zeus payloads from following locations:

1. hxxp://agarest.com/dckWfjue.exe
2. hxxp://kj-supply.com/JUz8cnK.exe
3. hxxp://chadgunderson.com/ZUmJx.exe

Gameover installs itself as %APPDATA%\Ppro\rfluo.exe and had the following file properties:

File: rfluo.exe
Size: 376,832 bytes
MD5: 6e65ca8fa550b03d1f377cc1c685abd8
Build TimeStamp: 2013-03-16 18:17:58
Language Code: Russian
Character Set: Unicode
Company Name: Корпорация Майкрософт
File Description: Монитор устройств неподвижных изображений
File Version: 5.1.2600.5512 (xpsp.080413-0852)

The Gameover variant had a botid of “candyshop” and a cid of 8888. The following P2P drone peers (IP:port) were found embedded inside the Gameover Zeus payload:

178.122.63.254:26281
99.54.188.39:17053
78.166.181.174:25812
49.49.77.245:11443
95.58.110.195:28758
94.240.224.115:27794
147.8.213.30:18592
95.104.51.216:25833
194.94.127.98:25549
176.73.238.72:22869
69.77.132.197:20764
75.6.222.103:11577
71.136.48.91:22174
203.128.247.114:29667
186.96.66.82:17103
63.139.177.211:11505
78.139.187.6:14384
198.101.63.2:13725
90.176.158.215:15920
